Our Policy Overview
Our policies set out our commitment to protecting personal data and how we implement that commitment with regards to the collection and use of personal data.
We are committed to:
- ensuring that we comply with the eight data protection principles set out in the Data Protection Act 1998 (“the Act”), as listed below;
- meeting our legal obligations as laid down by the Act;
- ensuring that personal data is collected and used fairly and lawfully;
- processing personal data only in order to meet our operational needs or fulfill legal requirements;
- taking steps to ensure that personal data is up to date and accurate;
- establishing appropriate retention periods for personal data;
- ensuring that data subjects' rights can be appropriately exercised;
- providing adequate security measures to protect personal data;
- ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues and enquiries;
- ensuring that all staff are made aware of good practice in relation to data protection;
- providing adequate training for all staff responsible for maintaining the security of personal data;
- ensuring that everyone handling personal data knows where to find further guidance if required;
- ensuring that queries about data protection, internal and external to Toolboxx Ltd, are dealt with effectively and promptly; and
- regularly reviewing data protection procedures and guidelines within the organisation.
Data Protection Principles
The eight principles in relation to the protection of personal data set out in the Act are listed below.
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
- Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Data Protection Policy
We need to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact. This policy describes how personal data must be collected, handled and stored to meet the Toolboxx Ltd data protection standards and to comply with the law.
Why this policy exists
This data protection policy (“DP Policy”) ensures Toolboxx Ltd:
- Complies with data protection law and follows good practice in relation to personal data;
- Protects the rights of staff, customers and partners;
- Is open about how it stores and processes the personal data of individuals;
- Protects itself from the risks of a breach of personal data held.
Data Protection Law
The Data Protection Act 1998 (“the Act”) describes how organisations, including Toolboxx Ltd, must collect, process and store personal information belonging to individuals. The Act sets out obligations which apply regardless of whether personal data is stored electronically, on paper or other material. To comply with the law, personal data must be collected and used fairly, stored safely and not disclosed unlawfully.
The Act is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully;
- Be obtained only for specific, lawful purposes;
- Be adequate, relevant and not excessive;
- Be accurate and kept up to date;
- Not be held for any longer than necessary;
- Be processed in accordance with the rights of data subjects;
- Be protected in appropriate ways;
- Not be transferred outside the European Economic Area (“EEA”), unless that country or territory also ensures an adequate level of protection.
People, Risks and Responsibilities
Policy Scope
This DP Policy applies to:
- The head office of Toolboxx Ltd
- All branches of Toolboxx Ltd
- All staff and volunteers of Toolboxx Ltd
- All contractors, suppliers and other people working on behalf of Toolboxx Ltd.
The DP Policy applies to all personal data that Toolboxx Ltd holds relating to identifiable individuals, even if that data falls outside of the provisions of the Act. Relevant personal data may include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Any other information relating to individuals
Data Protection Risks
This DP Policy helps to protect Toolboxx Ltd from significant data security risks, including:
- Breaches of confidentiality. For instance, personal data being given out or disclosed inappropriately and/or otherwise than in accordance with the terms of the Act;
- Failing to offer choice. For instance, all individuals should be free to choose how Toolboxx Ltd uses personal data relating to them;
- Reputational damage. For instance, Toolboxx Ltd could suffer a loss of personal data if hackers successfully gained access to Toolboxx Ltd systems.
Everyone who works for or with Toolboxx Ltd has some degree of responsibility for ensuring that personal data is collected, stored and handled appropriately. Each team that handles personal data must ensure that such data is handled and processed in line with this DP Policy and all relevant data protection principles. However, the following persons have the key areas of responsibility as follows:
- The Board of Directors is ultimately responsible for ensuring that Toolboxx Ltd meets its legal obligations in respect of personal data and otherwise.
- The Data Protection Officer is responsible for:
  - Keeping the Board of Directors updated about data protection responsibilities, risks and issues;
  - Reviewing all data protection procedures and related policies, in line with an agreed schedule;
  - Arranging data protection training and advice for everybody affected by this DP Policy;
  - Handling data protection questions from staff and anyone else covered by this DP Policy;
  - Dealing with requests from individuals to see the data Toolboxx Ltd holds about them (also called ‘subject access requests’);
  - Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- The Operations Director is responsible for:
  - Ensuring all systems, services and equipment used for storing personal data meet acceptable security standards;
  - Performing regular checks and scans to ensure security hardware and software is functioning properly;
  - Evaluating any third-party services which Toolboxx Ltd is considering using to store or process personal data (for example, cloud computing services).
- The Marketing Director is responsible for:
  - Approving any data protection statements attached to communications such as emails and letters;
  - Addressing any data protection queries from journalists or media outlets such as newspapers;
  - Where necessary, working with other staff to ensure marketing initiatives comply with data protection principles.
General Staff Guidelines
- The only people able to access data covered by this DP Policy should be those who need it for their work.
- Personal data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
- Toolboxx Ltd will provide training to all employees to help them understand their responsibilities when handling personal data.
- Employees should keep all personal data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords (as set out below) must be used and should never be shared.
- Personal data should not be disclosed to any unauthorised persons, either within Toolboxx Ltd or externally.
- Personal data should be regularly reviewed and updated if it is found to be out of date. If no longer required, personal data should be deleted and disposed of securely.
- Employees should request help from their line manager or the Data Protection Officer if they are unsure about any aspect of data protection.
The provisions of this DP Policy set out how and where personal data should be safely stored and dealt with. Questions about storing personal data safely can be directed to the Operations Director or the Data Protection Officer. When personal data is stored on paper, it should be kept in a secure place where unauthorised persons cannot see or access it. The provisions of this DP Policy also apply to personal data that is usually stored electronically but has been printed. In those circumstances:
- When not required, all paper or other files containing personal data must be kept in a locked drawer or Cloud Vault;
- Employees should make sure that paper and printouts containing personal data are not left where unauthorised people can see or access them (such as leaving paper or printouts on a printer);
- Printouts containing personal data should be shredded and disposed of securely when no longer required.
When personal data is stored electronically it must be protected from unauthorised access, accidental deletion and malicious hacking attempts as follows:
- Data should be protected by strong passwords that are changed regularly and never shared between employees;
- If data is stored on removable media (such as CDs or DVDs), these should be kept locked away securely when not being used;
- Personal data should only be stored on designated drives and servers and should only be uploaded to approved cloud computing services;
- Servers containing personal data should be kept in a secure location, away from general office space;
- Personal data should be backed up frequently. Backups must be tested regularly, in line with Toolboxx Ltd standard backup procedures;
- Data should never be saved directly to laptops or other mobile devices such as tablets or smart phones;
- All servers and computers containing personal data should be protected by approved security software and a firewall.
Personal data is of no value to Toolboxx Ltd. However, the greatest risk of loss, corruption or theft to personal data exists when it is accessed and used. As such:
- When working with personal data, employees of Toolboxx Ltd should ensure that the screens of their computers are always locked when left unattended;
- Personal data should not be shared informally. In particular, personal data should never be sent by email as this is not considered to be a secure form of communication;
- Personal data must be encrypted before being transferred electronically. The Operations Director can explain how to send personal data to authorised external contacts securely and safely;
- Personal data should never be transferred outside of the European Economic Area;
- Employees should not save copies of personal data to their own computers. Always access and update the centrally stored copy of any personal data.
The law requires Toolboxx Ltd to take reasonable steps to ensure that personal data is kept accurate and up to date. Toolboxx Ltd shall at all times use appropriate measures to ensure the safety and security of personal data.
The more important it is that the personal data is accurate, the greater the effort Toolboxx Ltd should put into ensuring its accuracy.
It is the responsibility of all employees of Toolboxx Ltd who work with personal data to take reasonable steps to ensure that it is kept as accurate and up to date as possible.
Personal data will be held in the least number of places necessary to enable Toolboxx Ltd to process such personal data. Employees of Toolboxx Ltd may not create any unnecessary additional copies of personal data beyond that required for Toolboxx Ltd to meet its obligations under the Act and any business requirements.
Employees of Toolboxx Ltd should take every opportunity to ensure that personal data is updated as necessary, for example, by confirming a customer’s details when they call.
Toolboxx Ltd will make it as easy as possible for data subjects to update the personal data that Toolboxx Ltd holds about them (for example, via the Toolboxx Ltd website).
Personal data should be updated as and when inaccuracies are discovered. For example, if a customer can no longer be reached on their stored telephone number, this number should be removed from the Toolboxx Ltd database at the earliest opportunity.
It is the Marketing Director’s responsibility to ensure that marketing databases are checked against industry suppression files at least once every six months.
Subject Access Requests
All individuals who have personal data held by Toolboxx Ltd are entitled to:
- Ask what personal data Toolboxx Ltd holds about them and why;
- Ask how to gain access to their personal data;
- Be informed by Toolboxx Ltd about methods to keep their personal data up to date;
- Be informed about how Toolboxx Ltd is meeting its data protection obligations.
If an individual contacts Toolboxx Ltd requesting the information above, this is called a “subject access request”. Subject access requests from individuals should be made by email, addressed to the Data Protection Officer at email@example.com. The Data Protection Officer can supply a standard request form for individuals to complete, although that form does not have to be used for a subject access request to be valid. Individuals will be charged £10 per subject access request. The Data Protection Officer will aim to provide the relevant personal data requested within 14 days of receipt of a subject access request. The Data Protection Officer will always verify the identity of anyone making a subject access request before providing them with any information.
Disclosing Personal Data For Other Reasons
In certain circumstances, the Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, Toolboxx Ltd will disclose requested personal data. However, the Data Protection Officer will endeavour to ensure that each request is legitimate and genuine, seeking assistance from the Board of Directors and from external legal advisers where necessary.
Toolboxx Ltd aims to ensure that individuals are aware that their personal data is being processed, and that they understand:
- How their personal data is being used and for what purpose; and
- How to exercise their rights of access to that personal data.
As such, Toolboxx Ltd has a privacy statement (below) setting out how data relating to individuals is used by Toolboxx Ltd.
If you have any questions about how we collect, store and use personal information, or if you have any other privacy-related questions, please contact us by any of the following means:
- Call us on 0800 840 1665
- E-mail us at: firstname.lastname@example.org
- Write to us at: Crown House, 1 Stafford Place, Weston super Mare, BS23 2QZ
The Personal Information We Collect About You
When you access and browse this Website and/or use our services (including when you submit personal information to us through data entry fields on the Website), we may collect the following information from you:
- Your name;
- Your address;
- Your phone, fax, mobile and e-mail details; and
- Your payment card and bank details.
How We May Store And Use Your Personal Information
We (or third party data processors acting on our behalf) may collect, store and use your personal information listed above for the following purposes:
- To make this Website and / or our services available to you and to provide you with content which is tailored to your individual tastes;
- To administer your account, services and products;
- To identify you when you call;
- To help with the detection and prevention of crime, fraud or loss and to assist in debt recovery;
- To communicate with you on any matter relating to the conduct and/or provision of services in general;
- To provide your personal information to third party suppliers (with your consent) to fulfil a service requirement as requested by you;
- With your consent, to contact you from time to time by letter, phone (including by automatic calling units), fax, e-mail or SMS to inform you of our services or products which we believe you may be interested in.
Other than disclosures we make to third parties that we engage to act on our behalf, we will not disclose, sell or rent your personal information to any third party for commercial or other purposes. However, if a third party acquires all (or substantially all) of our business and/or assets, we may disclose your personal information to that third party in connection with the acquisition. We may also disclose your personal information where we are required to do so by applicable law, by a governmental body or by a law enforcement agency. In addition, we may also carry out credit and fraud prevention checks with licensed credit reference and fraud prevention agencies and they will retain a copy of the search. Information from your application and payment details of your account may be recorded by these agencies and may be shared with other organisations to help make credit and insurance decisions about you and members of your household and for debt collection and fraud prevention purposes. Finally, we may also collect anonymised details about visitors to our Website and / or our service for the purposes of aggregate statistics, reporting purposes and monitoring the Website and/or our service usage. However, no single individual will be identifiable from the anonymised details we collect for these purposes.
Whilst we take appropriate technical and organisational measures to safeguard the personal information that you provide to us, no transmission over the Internet can ever be guaranteed to be secure. Consequently, please note that we cannot guarantee the security of any personal information that you transfer to us over the Internet.
You have the following rights:
- The right to ask us to provide you with copies of personal information that we hold about you at any time, subject to the payment by you of a fee specified by law (currently £10);
- The right to ask us to update and correct any out-of-date or incorrect personal information that we hold about you, free of charge; and
- The right to opt out of any marketing communications that we (or any third party to whom we have disclosed your personal information with your consent) may send you.
If you wish to exercise any of the above rights, please contact us (either by post or by e-mail) at the address specified above.
Third Party Sites
Regulations For The Use Of Computer Facilities Offered
These regulations apply to the use of all local IT facilities at the Registered Office and to facilities provided by Toolboxx Ltd to its employees for use at home or off site (“the Network”). Please note that breaches of this electronic communications policy (“EC Policy”) will be considered to be gross misconduct in respect of which you may be dismissed. The Network provided or made available by Toolboxx Ltd for use by its employees may be used only in connection with employees’ work for Toolboxx Ltd. The Network must not be used for work of undeclared financial benefit to employees or the transmission of unsolicited commercial material without the express permission, in writing, of the Managing Director of Toolboxx Ltd.
Employees must not interfere with the work of others or the system itself. The Network must be used in a responsible manner at all times. In particular, employees must not:
- Access, store or distribute material which is designed or likely to cause annoyance, inconvenience, needless anxiety or offence;
- Access, store or distribute obscene, offensive, harmful or indecent material, pornography, etc.;
- Access, store or distribute defamatory material;
- Access, store or distribute material such that the copyright of another person is or may be infringed;
- Use the Network for playing games;
- Use the Network for any kind of personal gain (e.g. advertising goods or services);
- Gain deliberate unauthorised access to facilities or services accessible via local or national networks, or access, store or distribute programmes designed to facilitate such access;
- Engage in activities which waste resources (people’s time or the Network) or which are liable to cause a disruption or denial of service to other users. This includes, but is not limited to, the following:
  - the introduction of viruses into computer systems;
  - use of Internet Relay Chat facilities;
  - use of peer-to-peer networking products; or
  - use of internet radio or similar streamed media services;
- Engage in activities which are illegal or which might contribute to the commission of an illegal act;
- Engage in any transaction purporting to be representing Toolboxx Ltd when not authorised.
You must not gain unauthorised access to or violate the privacy of other people’s files, corrupt or destroy other people’s data or disrupt the work of other people. It is your responsibility to prevent inappropriate access to your files. Your password must be kept safe, changed regularly and not be disclosed to anyone. You must not send electronic mail from the Network which is irresponsible, or likely to cause offence, nor use network messaging without authority. “Irresponsible” use includes unsolicited postings to large numbers of people or indiscriminate postings. Email to clients and customers must follow the Toolboxx Ltd designated house style, which will be supplied to authorised users. Failure to follow house style is a disciplinary matter and will be dealt with under the Toolboxx Ltd disciplinary procedure (“Disciplinary Procedure”). It is easy for viruses to enter the Network. Therefore, you should never open attachments from an unknown source.
Never use the Internet to transmit confidential personal or business sensitive information. A small amount of personal email use on the Network during working hours is acceptable, but not where the perusal and sending of such emails impinges upon your work, either in terms of denial of service or in loss of working time to Toolboxx Ltd. The use of instant messaging is expressly prohibited at work. Employees are also prohibited from using emails to circulate any non-business material. Not only does excessive time spent online lead to loss of productivity and constitute unauthorised use of Toolboxx Ltd time, but also sexist, racist or other offensive remarks, statements, materials and/or jokes sent by email are capable of amounting to unlawful harassment. Employees who are discovered contravening these rules may face serious disciplinary action under the Disciplinary Procedure.
Toolboxx Ltd does not normally examine the contents of email or files belonging to computer users, but it reserves the right to do so if necessary, in Toolboxx Ltd’s opinion, in order to maintain the functionality of the IT system or where Toolboxx Ltd has reason to believe that the provisions of this EC Policy are being breached. Users are therefore advised that such monitoring can and may occur. Please note that email messages, even when they have been deleted from the Company’s email system, can be traced and retrieved, and the person or persons involved in creating or forwarding any offending email identified. Emails are admissible as evidence in a court of law.
Toolboxx Ltd recognises that it is not always possible to control incoming mail. Any material which would be considered non-businesslike, sexually explicit, indecent, inappropriate or offensive should be deleted at once. Any member of staff who finds that they are receiving such communication from known sources is responsible for contacting that source in order to request that such communication is not repeated.
Toolboxx Ltd will hold individual employees personally liable if Toolboxx Ltd or any of its customers or clients suffer any loss, cost, expenses or damage to their reputation or goodwill as a result of any breach of this EC Policy. You must comply with the requirements of all relevant legislation when using the Network. Toolboxx Ltd are guardians of considerable amounts of sensitive data and it is vital for our business integrity that care is taken to safeguard both the information and the database systems themselves.
Summary Use of Email
No email which contains any references to other individuals which might be construed as libellous may be sent using the Network. No email communication which might be regarded as harassing or insulting may be sent using the Network. Complaints about the performance or service of other departments or individuals within Toolboxx Ltd must be made on a face-to-face basis, as is normal courteous practice.
Toolboxx Ltd recognises that it is not always possible to control incoming mail. Any material which would reasonably be considered not to be businesslike, sexually explicit, indecent, inappropriate or offensive should be deleted immediately without opening any attachments. Any employee of Toolboxx Ltd who finds that they are receiving such communication from known sources is responsible for contacting that source in order to request that such communication is not repeated. If employees of Toolboxx Ltd receive virus warnings via email, they should take no action whatsoever other than informing Toolboxx Ltd IT staff immediately.
Emails sent internally may be sent in an informal style, but staff are asked to observe the normal courtesy that they would extend in written memos, in accordance with the Toolboxx Ltd house style. Emails which are sent to recipients outside Toolboxx Ltd should be composed in a businesslike manner. A guideline for suitable styles is available on the Toolboxx Ltd Intranet and this should be followed at all times. Any attachments (such as letters) must be headed and written according to the normal house style.
Unsolicited emails may not be sent from the Network at any time. Any ‘junk’ email received must be deleted immediately. Any attachments received within an email must be checked for viruses before opening. The Toolboxx Ltd email address book will be maintained by its IT staff, to whom changes should be notified immediately. Email addresses and passwords for all employees will be issued by IT staff and may not be changed without their authorisation.
It is a disciplinary offence to access another individual’s email facility by using their password without express permission.
Computer Software, Games And Viruses
Toolboxx Ltd licences the use of computer software from a variety of outside companies. Toolboxx Ltd does not own this software and, unless authorised by the software developer, neither Toolboxx Ltd nor any of its employees have the right to reproduce it. To do so constitutes an infringement of copyright. Contravention of these provisions is a disciplinary matter and will be dealt with in accordance with the Disciplinary Procedure.
The Toolboxx Ltd Network is vulnerable to viruses. Therefore, only duly authorised personnel have the authority to load new software onto the Network. Software may be loaded onto the Network only after having been checked for viruses by authorised personnel. Any employee found to be contravening this provision will face disciplinary action under the Disciplinary Procedure. Employees may only access any computer games that are on the Network outside their normal working hours.
Toolboxx Ltd may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 1st January 2016.